
            <!DOCTYPE html>
            <html lang="en">
            <head>
                <meta charset="UTF-8">
<title>[k8s] Rejoining nodes to the master</title>
            </head>
            <body>
<a href="https://andyoung.blog.csdn.net">Original author's blog</a>
            <div id="content_views" class="markdown_views prism-atom-one-light">
                    <blockquote> 
 <p>The default token is valid for 24 hours; once it expires, that token can no longer be used.<br> If more nodes need to join the cluster later, the solution is as follows:</p> 
</blockquote> 
<h3><a id="token_3"></a>重新生成新的token</h3> 
<h4><a id="_5"></a>方式一</h4> 
<p>Run on the master:</p> 
<pre><code>kubeadm token create --print-join-command
</code></pre> 
<p>Adding the <code>--ttl duration</code> flag sets the token lifetime (default: 24h0m0s).</p> 
<p>This generates a token with the default 24-hour validity and prints the command for joining the master.</p> 
<pre><code>[root@a1 ~]# kubeadm token create --print-join-command
kubeadm join 192.168.0.183:6443 --token 7h2qff.z5n4f7dxm9vmg8x9 --discovery-token-ca-cert-hash sha256:3e2786a894fd9ed30bdcedf67731249416cd8064b4c49031eee55e0cdc8c7b1c
[root@a1 ~]# kubeadm token list
TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION                                                EXTRA GROUPS
7h2qff.z5n4f7dxm9vmg8x9   23h         2022-11-17T05:11:28Z   authentication,signing   &lt;none&gt;                                                     system:bootstrappers:kubeadm:default-node-token
</code></pre> 
<p>Then, on the node, run the <code>kubeadm join</code> command printed above:</p> 
<pre><code>kubeadm join 192.168.0.183:6443 --token 7h2qff.z5n4f7dxm9vmg8x9 --discovery-token-ca-cert-hash sha256:3e2786a894fd9ed30bdcedf67731249416cd8064b4c49031eee55e0cdc8c7b1c
</code></pre> 
<p>Done.</p> 
<h4><a id="_33"></a>方式二</h4> 
<pre><code>kubeadm token create
[root@k8s-master ~]# kubeadm token create
0w3a92.ijgba9ia0e3scicg
[root@k8s-master ~]# kubeadm token list
TOKEN                     TTL       EXPIRES                     USAGES                   DESCRIPTION                                                EXTRA GROUPS
0w3a92.ijgba9ia0e3scicg   23h       2019-09-08T22:02:40+08:00   authentication,signing   &lt;none&gt;                                                     system:bootstrappers:kubeadm:default-node-token
t0ehj8.k4ef3gq0icr3etl0   22h       2019-09-08T20:58:34+08:00   authentication,signing   The default bootstrap token generated by 'kubeadm init'.   system:bootstrappers:kubeadm:default-node-token
</code></pre> 
<h5><a id="casha256hash_47"></a>Get the SHA-256 hash of the CA certificate</h5> 
<pre><code>[root@k8s-master ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2&gt;/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
ce07a7f5b259961884c55e3ff8784b1eda6f8b5931e6fa2ab0b30b6a4234c09a
</code></pre> 
<p><code>--token</code>: used by the master to authenticate the node.<br> For bootstrap-token authentication to be accepted during the cluster's initial bootstrap, the API server must have the following option enabled:<br> <code>--enable-bootstrap-token-auth=true</code></p> 
<pre><code> kubectl get secret -n kube-system|grep bootstrap-token
bootstrap-token-nh819o                           bootstrap.kubernetes.io/token         7         2d
</code></pre> 
<p>nh819o is the token ID; pzcpohatm7p3a5cm is the token secret.<br> When kubeadm join contacts the API server, it carries this token in the request header, and the API server authenticates the request by that token.<br> The API server looks up a Secret object whose name carries the bootstrap-token- prefix.<br> We can inspect the contents of that Secret object.</p> 
<pre><code>kubectl get secret/bootstrap-token-nh819o -n kube-system -o yaml
apiVersion: v1
data:
  auth-extra-groups: c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=
  description: VGhlIGRlZmF1bHQgYm9vdHN0cmFwIHRva2VuIGdlbmVyYXRlZCBieSAna3ViZWFkbSBpbml0Jy4=
  expiration: MjAxOS0wNi0yMFQxMToyNDoyOCswODowMA==
  token-id: bmg4MTlv
  token-secret: cHpjcG9oYXRtN3AzYTVjbQ==
  usage-bootstrap-authentication: dHJ1ZQ==
  usage-bootstrap-signing: dHJ1ZQ==
kind: Secret
metadata:
  creationTimestamp: 2019-06-19T03:24:28Z
  name: bootstrap-token-nh819o
  namespace: kube-system
  resourceVersion: "160"
  selfLink: /api/v1/namespaces/kube-system/secrets/bootstrap-token-nh819o
  uid: bea32cfa-9241-11e9-a613-52540095a842
type: bootstrap.kubernetes.io/token
</code></pre> 
<p>Decode the token-secret:</p> 
<pre><code>echo cHpjcG9oYXRtN3AzYTVjbQ==|base64 -d
pzcpohatm7p3a5cm
</code></pre> 
<p>This matches the secret part of the token argument.</p> 
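<p>The following is an added example, not code from the original post: it reproduces in Python, with the standard library only, the lookup the API server performs for a bootstrap token as described above. The Secret is a constructed copy of the one shown on this page; the checks (name prefix, token-id, constant-time comparison of token-secret, usage flag, expiration) follow the fields that Secret carries, and <code>build_secret</code> shows the reverse direction, the Secret that <code>kubeadm token create</code> would store. Function names are this example's own.</p>

```python
import base64
import hmac
import re
from datetime import datetime, timedelta, timezone

# kubeadm bootstrap tokens have the form "<6 chars>.<16 chars>", lowercase a-z0-9.
TOKEN_RE = re.compile(r"^([a-z0-9]{6})\.([a-z0-9]{16})$")

# Constructed sample: the Secret shown on this page, as `kubectl ... -o json` returns it.
SAMPLE_SECRET = {
    "kind": "Secret",
    "type": "bootstrap.kubernetes.io/token",
    "metadata": {"name": "bootstrap-token-nh819o", "namespace": "kube-system"},
    "data": {
        "auth-extra-groups": "c3lzdGVtOmJvb3RzdHJhcHBlcnM6a3ViZWFkbTpkZWZhdWx0LW5vZGUtdG9rZW4=",
        "description": "VGhlIGRlZmF1bHQgYm9vdHN0cmFwIHRva2VuIGdlbmVyYXRlZCBieSAna3ViZWFkbSBpbml0Jy4=",
        "expiration": "MjAxOS0wNi0yMFQxMToyNDoyOCswODowMA==",
        "token-id": "bmg4MTlv",
        "token-secret": "cHpjcG9oYXRtN3AzYTVjbQ==",
        "usage-bootstrap-authentication": "dHJ1ZQ==",
        "usage-bootstrap-signing": "dHJ1ZQ==",
    },
}


def parse_token(token):
    """Split a bootstrap token into (token_id, token_secret); reject malformed input."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("token must look like abcdef.0123456789abcdef")
    return m.group(1), m.group(2)


def decode_secret(secret):
    """Base64-decode every field under .data, the way the page does with `base64 -d`."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def validate_token(token, secret, now):
    """Mirror the checks applied to a bootstrap token; `now` must be timezone-aware.
    Returns (ok, reason)."""
    token_id, token_secret = parse_token(token)
    if secret.get("type") != "bootstrap.kubernetes.io/token":
        return False, "not a bootstrap token secret"
    if secret["metadata"]["name"] != "bootstrap-token-" + token_id:
        return False, "secret name does not match token id"
    data = decode_secret(secret)
    if data.get("token-id") != token_id:
        return False, "token-id mismatch"
    # The secret half is the credential: compare it in constant time.
    if not hmac.compare_digest(data.get("token-secret", ""), token_secret):
        return False, "token-secret mismatch"
    if data.get("usage-bootstrap-authentication") != "true":
        return False, "token not usable for authentication"
    exp = data.get("expiration")
    if exp:
        # Newer kubeadm writes "...Z"; fromisoformat before 3.11 only accepts "+00:00".
        if datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
            return False, "token expired at " + exp
    return True, "ok"


def build_secret(token, ttl, now, groups="system:bootstrappers:kubeadm:default-node-token"):
    """Build the Secret that `kubeadm token create` stores for a token with the given TTL."""
    token_id, token_secret = parse_token(token)
    fields = {
        "auth-extra-groups": groups,
        "expiration": (now + ttl).isoformat(timespec="seconds"),
        "token-id": token_id,
        "token-secret": token_secret,
        "usage-bootstrap-authentication": "true",
        "usage-bootstrap-signing": "true",
    }
    return {
        "kind": "Secret",
        "type": "bootstrap.kubernetes.io/token",
        "metadata": {"name": "bootstrap-token-" + token_id, "namespace": "kube-system"},
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in fields.items()},
    }


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(decode_secret(SAMPLE_SECRET))
    print(validate_token("nh819o.pzcpohatm7p3a5cm", SAMPLE_SECRET, now))
    fresh = build_secret("abcdef.0123456789abcdef", timedelta(hours=24), now)
    print(validate_token("abcdef.0123456789abcdef", fresh, now + timedelta(hours=1)))
```

<p>Run against the sample Secret with today's date, the validation fails with the expiration reason, which is exactly the situation the first paragraph of this page describes; the same token is accepted when <code>now</code> is set to a time before 2019-06-20T11:24:28+08:00.</p>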
<h3><a id="_99"></a>节点加入集群</h3> 
<pre><code>[root@k8s-node01 ~]# kubeadm join --token aa78f6.8b4cafc8ed26c34f --discovery-token-ca-cert-hash sha256:0fd95a9bc67a7bf0ef42da968a0d55d92e52898ec37c971bd77ee501d845b538 192.168.73.138:6443 --skip-preflight-check=true
</code></pre> 
<p><code>--discovery-token-ca-cert-hash</code>: used by the node to verify the master's identity.<br> During join, the API server sends down ca.crt, which the node stores under /etc/kubernetes/pki.<br> kubeadm join then computes the hash of the CA's public key from that certificate and compares it with the value of discovery-token-ca-cert-hash.</p> 
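<p>The following is an added example, not code from the original post or from kubeadm: it shows what the openssl pipeline in the "Get the SHA-256 hash of the CA certificate" section computes and what the comparison just described checks. The hash covers the DER-encoded SubjectPublicKeyInfo of the CA certificate, not the whole certificate, so the code walks the X.509 DER structure with a minimal TLV reader (handling the optional version field that v1 certificates omit), hashes the extracted SPKI with SHA-256 and compares it in constant time with the <code>sha256:</code> value a join command carries. The certificate used as input is constructed in the example (an unsigned, structurally valid certificate around a dummy Ed25519 key) and all function names are this example's own.</p>

```python
import base64
import hashlib
import hmac


def tlv(tag, body):
    """Encode one DER TLV (short and two-byte long-form lengths are enough here)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_read(buf, pos):
    """Read the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, start, end


def der_elements(body):
    """Split a SEQUENCE body into its elements as (tag, whole_tlv, value) tuples."""
    out, pos = [], 0
    while pos < len(body):
        tag, vstart, vend = der_read(body, pos)
        out.append((tag, body[pos:vend], body[vstart:vend]))
        pos = vend
    return out


def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, vstart, vend = der_read(cert_der, 0)
    if tag != 0x30 or vend != len(cert_der):
        raise ValueError("certificate is not a single SEQUENCE")
    tbs_tag, _, tbs_body = der_elements(cert_der[vstart:vend])[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_elements(tbs_body)
    if fields[0][0] == 0xA0:  # version [0] EXPLICIT is optional (absent in v1 certs)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_tlv, _ = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_tlv


def ca_cert_hash(cert_pem):
    """The value kubeadm prints after --discovery-token-ca-cert-hash."""
    return "sha256:" + hashlib.sha256(extract_spki(pem_to_der(cert_pem))).hexdigest()


def discovery_hash_matches(cert_pem, expected):
    """Pin check on the CA the API server handed out during join."""
    return hmac.compare_digest(ca_cert_hash(cert_pem), expected.strip())


# Constructed sample input: Ed25519 SPKI (OID 1.3.101.112) with a dummy 32-byte key.
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b6570")))
                  + tlv(0x03, b"\x00" + bytes(range(32))))


def make_cert(spki, with_version=True):
    """Constructed, unsigned certificate around `spki`; structurally valid, not a real CA."""
    fields = tlv(0xA0, tlv(0x02, b"\x02")) if with_version else b""    # version v3
    fields += tlv(0x02, b"\x01")                                        # serialNumber
    fields += tlv(0x30, tlv(0x06, bytes.fromhex("2b6570")))             # signature alg
    fields += tlv(0x30, b"")                                            # issuer (empty)
    fields += tlv(0x30, tlv(0x17, b"190619032428Z") + tlv(0x17, b"290619032428Z"))
    fields += tlv(0x30, b"")                                            # subject (empty)
    fields += spki
    sig = tlv(0x30, tlv(0x06, bytes.fromhex("2b6570"))) + tlv(0x03, b"\x00" + b"\x00" * 64)
    return tlv(0x30, tlv(0x30, fields) + sig)


def to_pem(der):
    b = base64.b64encode(der).decode()
    lines = [b[i:i + 64] for i in range(0, len(b), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pem = to_pem(make_cert(SAMPLE_SPKI))
    print(ca_cert_hash(pem))
    print(discovery_hash_matches(pem, ca_cert_hash(pem)))
```

<p>Pointed at a real <code>/etc/kubernetes/pki/ca.crt</code>, <code>ca_cert_hash</code> returns the same value as the openssl pipeline above, because both hash only the SubjectPublicKeyInfo; two certificates with the same key but different serial, subject or version produce the same hash, which the test below checks with v1 and v3 variants of the constructed certificate.</p>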
<h2><a id="k8s_kubeadm_join_nodekubeletcheck_Initial_timeout_of_40s_passed_109"></a>kubeadm join times out when adding a node, with the error [kubelet-check] Initial timeout of 40s passed.</h2> 
<pre><code>kubeadm join 172.28.18.69:6443 --token abcdef.0123456789abcdef     --discovery-token-ca-cert-hash sha256:6010baa60fc234e60cb353a54b4179afd3205cd6b4fc15f415117a77b6d8ac07
W0109 18:03:24.343831   16537 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.18" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
[kubelet-check] Initial timeout of 40s passed.
error execution phase kubelet-start: error uploading crisocket: timed out waiting for the condition
To see the stack trace of this error execute with --v=5 or higher
</code></pre> 
<blockquote> 
 <p>A timeout is reported and the node fails to join.</p> 
 <h3><a id="node_129"></a>Run on the node</h3> 
</blockquote> 
<pre><code>kubeadm reset -f
</code></pre> 
<h3><a id="_135"></a>再执行加入</h3> 
<pre><code>kubeadm join 172.28.18.69:6443 --token abcdef.0123456789abcdef     --discovery-token-ca-cert-hash sha256:6010baa60fc234e60cb353a54b4179afd3205cd6b4fc15f415117a77b6d8ac07
</code></pre> 
<h3><a id="token_143"></a>删除token</h3> 
<pre><code>kubeadm token delete [token-value] ...
</code></pre>
                </div>
            </body>
            </html>
            